SOLVED Re: Memory leak in hush with NOMMU busybox-1.37.0
Denys Vlasenko
vda.linux at googlemail.com
Sat Aug 2 22:13:48 UTC 2025
On Fri, Aug 1, 2025 at 9:59 PM Harry Eaton <bumpelo at gmail.com> wrote:
> cur_var = cur_var->next;
> free(tmp);
> }
> + free(G.to_free);
> + G.to_free = NULL;
> + free(ptr_to_globals);
> }
> #endif
fflush_all();
#if ENABLE_HUSH_JOB
sigexit(- (exitcode & 0xff));
#else
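Review bot: free(ptr_to_globals) at the end of this cleanup block runs before the fflush_all() and sigexit() calls that follow it, so the globals are released while the exit path is still executing. Make it the last statement before the process exits, or drop it. The pointer is also left dangling, whereas G.to_free two lines above is set to NULL after its free.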
Use-after-free: sigexit() uses globals.
> @@ -7657,9 +7663,6 @@
> {
> pid_t pid;
> int channel[2];
> -# if !BB_MMU
> - char **to_free = NULL;
> -# endif
>
> xpipe(channel);
> pid = BB_MMU ? xfork() : xvfork();
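Review bot: with the local `char **to_free` removed here, the quoted hunks do not show where G.to_free is declared. The field should sit under the same `# if !BB_MMU` guard as the local it replaces and carry a comment stating which code stores into it and which code frees it, since ownership is no longer confined to this function.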
> @@ -7736,7 +7739,7 @@
> * huge=`cat BIG` # was blocking here forever
> * echo OK
> */
> - re_execute_shell(&to_free,
> + re_execute_shell(&G.to_free,
> s,
> G.global_argv[0],
> G.global_argv + 1,
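Review bot: at the re_execute_shell(&G.to_free, ...) call, the removed local began as NULL on every entry to this function, while G.to_free holds whatever the previous user left in it. Correctness now depends on every path clearing the field after freeing it; an explicit check or reset of G.to_free before this call would make that invariant visible instead of implied.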
> @@ -7754,7 +7757,8 @@
> # endif
> enable_restore_tty_pgrp_on_exit();
> # if !BB_MMU
> - free(to_free);
> + free(G.to_free);
> + G.to_free = NULL;
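Review bot: on this parent-side path, free(G.to_free) releases the same pointer at the same place the old free(to_free) did, so this hunk by itself does not close a leak. The patch description should name the path on which the allocation was left unreleased; from the quoted hunks, the exit-time free(G.to_free) in the first hunk is the only new release point.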
Can you explain how exactly this was leaking the allocation?